From 66cd160f1dd48c0c924dc92b4dcab8abea1c825f Mon Sep 17 00:00:00 2001
From: Federico Di Pierro
Date: Tue, 4 Feb 2025 10:21:27 +0100
Subject: [PATCH] new(cmake,userspace): port Falco to use new container plugin.

It will be shipped by default hence it is present in default config.

Signed-off-by: Federico Di Pierro
---
 cmake/modules/cares.cmake | 76 +++++
 cmake/modules/curl.cmake | 100 +++++++
 cmake/modules/driver.cmake | 4 +-
 cmake/modules/falcosecurity-libs.cmake | 4 +-
 cmake/modules/grpc.cmake | 274 ++++++++++++++++++
 cmake/modules/openssl.cmake | 81 ++++++
 falco.yaml | 53 ++--
 userspace/falco/CMakeLists.txt | 1 +
 .../falco/app/actions/init_inspectors.cpp | 45 ---
 userspace/falco/configuration.cpp | 73 +++--
 userspace/falco/configuration.h | 6 +-
 userspace/falco/outputs_http.h | 2 +
 12 files changed, 617 insertions(+), 102 deletions(-)
 create mode 100644 cmake/modules/cares.cmake
 create mode 100644 cmake/modules/curl.cmake
 create mode 100644 cmake/modules/grpc.cmake
 create mode 100644 cmake/modules/openssl.cmake

diff --git a/cmake/modules/cares.cmake b/cmake/modules/cares.cmake
new file mode 100644
index 00000000..36a3f0d6
--- /dev/null
+++ b/cmake/modules/cares.cmake
@@ -0,0 +1,76 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# Copyright (C) 2023 The Falco Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under the License +# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# or implied. See the License for the specific language governing permissions and limitations under +# the License. +# + +option(USE_BUNDLED_CARES "Enable building of the bundled c-ares" ${USE_BUNDLED_DEPS}) + +if(CARES_INCLUDE) + # we already have c-ares +elseif(NOT USE_BUNDLED_CARES) + find_path(CARES_INCLUDE NAMES cares/ares.h ares.h) + find_library(CARES_LIB NAMES cares) + if(CARES_INCLUDE AND CARES_LIB) + message(STATUS "Found c-ares: include: ${CARES_INCLUDE}, lib: ${CARES_LIB}") + else() + message(FATAL_ERROR "Couldn't find system c-ares") + endif() +else() + if(BUILD_SHARED_LIBS) + set(CARES_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX}) + set(CARES_STATIC_OPTION "Off") + else() + set(CARES_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX}) + set(CARES_STATIC_OPTION "On") + endif() + set(CARES_SRC "${PROJECT_BINARY_DIR}/c-ares-prefix/src/c-ares") + set(CARES_INCLUDE "${CARES_SRC}/include/") + set(CARES_LIB "${CARES_SRC}/lib/libcares${CARES_LIB_SUFFIX}") + + if(NOT TARGET c-ares) + message(STATUS "Using bundled c-ares in '${CARES_SRC}'") + ExternalProject_Add( + c-ares + PREFIX "${PROJECT_BINARY_DIR}/c-ares-prefix" + URL "https://github.com/c-ares/c-ares/releases/download/v1.33.1/c-ares-1.33.1.tar.gz" + URL_HASH "SHA256=06869824094745872fa26efd4c48e622b9bd82a89ef0ce693dc682a23604f415" + BUILD_IN_SOURCE 1 + CMAKE_ARGS -DCMAKE_POLICY_DEFAULT_CMP0091:STRING=NEW + -DCMAKE_MSVC_RUNTIME_LIBRARY=${CMAKE_MSVC_RUNTIME_LIBRARY} + 
-DCARES_SHARED=${BUILD_SHARED_LIBS} + -DCARES_STATIC=${CARES_STATIC_OPTION} + -DCARES_STATIC_PIC=${ENABLE_PIC} + -DCARES_BUILD_TOOLS=Off + -DCARES_INSTALL=Off + BUILD_BYPRODUCTS ${CARES_INCLUDE} ${CARES_LIB} + INSTALL_COMMAND "" + ) + install( + FILES "${CARES_LIB}" + DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + install( + DIRECTORY "${CARES_INCLUDE}" + DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + endif() + +endif() + +if(NOT TARGET c-ares) + add_custom_target(c-ares) +endif() + +include_directories("${CARES_INCLUDE}") diff --git a/cmake/modules/curl.cmake b/cmake/modules/curl.cmake new file mode 100644 index 00000000..a7c69d0d --- /dev/null +++ b/cmake/modules/curl.cmake 
@@ -0,0 +1,100 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# Copyright (C) 2023 The Falco Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under the License +# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# or implied. See the License for the specific language governing permissions and limitations under +# the License. +# + +option(USE_BUNDLED_CURL "Enable building of the bundled curl" ${USE_BUNDLED_DEPS}) + +include(openssl) +include(zlib) + +if(CURL_INCLUDE_DIRS) + # we already have curl +elseif(NOT USE_BUNDLED_CURL) + find_package(CURL REQUIRED) + message(STATUS "Found CURL: include: ${CURL_INCLUDE_DIRS}, lib: ${CURL_LIBRARIES}") +else() + if(BUILD_SHARED_LIBS) + set(CURL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX}) + set(CURL_STATIC_OPTION) + else() + set(CURL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX}) + set(CURL_STATIC_OPTION --disable-shared) + endif() + set(CURL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/curl-prefix/src/curl") + set(CURL_INCLUDE_DIRS "${CURL_BUNDLE_DIR}/include/") + set(CURL_LIBRARIES "${CURL_BUNDLE_DIR}/lib/.libs/libcurl${CURL_LIB_SUFFIX}") + + if(NOT USE_BUNDLED_OPENSSL) + set(CURL_SSL_OPTION "--with-ssl") + else() + set(CURL_SSL_OPTION "--with-ssl=${OPENSSL_INSTALL_DIR}") + message(STATUS "Using SSL for curl in '${OPENSSL_INSTALL_DIR}'") + endif() + + if(NOT USE_BUNDLED_ZLIB) + set(CURL_ZLIB_OPTION "--with-zlib") + else() + set(CURL_ZLIB_OPTION "--with-zlib=${ZLIB_SRC}") + message(STATUS "Using zlib for curl in '${ZLIB_SRC}'") + endif() + message(STATUS "Using bundled curl in '${CURL_BUNDLE_DIR}'") + + if(NOT ENABLE_PIC) + set(CURL_PIC_OPTION) + else() + set(CURL_PIC_OPTION "--with-pic") + endif() + + if(NOT TARGET curl) + 
ExternalProject_Add( + curl + PREFIX "${PROJECT_BINARY_DIR}/curl-prefix" + DEPENDS openssl zlib + URL "https://github.com/curl/curl/releases/download/curl-8_7_1/curl-8.7.1.tar.bz2" + URL_HASH "SHA256=05bbd2b698e9cfbab477c33aa5e99b4975501835a41b7ca6ca71de03d8849e76" + CONFIGURE_COMMAND + ./configure ${CURL_SSL_OPTION} ${CURL_ZLIB_OPTION} ${CURL_STATIC_OPTION} + ${CURL_PIC_OPTION} --enable-optimize --disable-curldebug --disable-rt --enable-http + --disable-ftp --disable-file --disable-ldap --disable-ldaps --disable-rtsp + --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb + --disable-smtp --disable-gopher --disable-sspi --disable-ntlm-wb --disable-tls-srp + --without-winssl --without-polarssl --without-cyassl --without-nss --without-axtls + --without-librtmp --without-winidn --without-libidn2 --without-libpsl + --without-nghttp2 --without-libssh2 --with-ca-path=/etc/ssl/certs/ + --disable-threaded-resolver --without-brotli --without-zstd + BUILD_COMMAND make + BUILD_IN_SOURCE 1 + BUILD_BYPRODUCTS ${CURL_LIBRARIES} + INSTALL_COMMAND "" + ) + install( + FILES "${CURL_LIBRARIES}" + DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + install( + DIRECTORY "${CURL_INCLUDE_DIRS}curl" + DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + FILES_MATCHING + PATTERN "*.h" + ) + endif() +endif() + +if(NOT TARGET curl) + add_custom_target(curl) +endif() + +include_directories("${CURL_INCLUDE_DIRS}") diff --git a/cmake/modules/driver.cmake b/cmake/modules/driver.cmake index 292a3b12..43f4a3d3 100644 --- a/cmake/modules/driver.cmake +++ b/cmake/modules/driver.cmake 
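Review bot: The bundled curl is configured with a hard-coded `--with-ca-path=/etc/ssl/certs/`, so a Falco built with USE_BUNDLED_CURL verifies HTTPS output endpoints against whatever that directory holds on the host it eventually runs on; on distributions that keep the trust store elsewhere (RHEL-family systems are the usual example) TLS verification of http_output endpoints fails with a certificate error rather than silently trusting, which is the safe failure mode but should be stated next to the option, e.g. `# CA path is the Debian/Ubuntu default; hosts with another trust store must set a CA bundle in the http_output config`. The same configure line passes `--without-libpsl`; recent curl configure scripts warn that builds without the Public Suffix List weaken cookie scoping, which is harmless for a webhook client that never sends cookies but deserves a one-line comment so nobody re-enables it blindly. With bundled curl and bundled OpenSSL both pinned by tarball hash, this module is now where Falco tracks two TLS components' releases, so a short comment on the update policy would help.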
@@ -35,9 +35,9 @@ else()
 # FALCOSECURITY_LIBS_VERSION. In case you want to test against another driver version (or
 # branch, or commit) just pass the variable - ie., `cmake -DDRIVER_VERSION=dev ..`
 if(NOT DRIVER_VERSION)
- set(DRIVER_VERSION "cb93f4b3d75b7c61f3056fa8b08fb904d9aa13fc")
+ set(DRIVER_VERSION "595bb7337f7d09d112d2cfffbcc1467093e88079")
 set(DRIVER_CHECKSUM
- "SHA256=70592c7651032d528ee945a1cb63b6488546a67f46c545493eefe3d2777b4023"
+ "SHA256=aa57cd907a652520ed58fa01bc81894ae4d1049e82ee3871337b746d018aac02"
 )
 endif()
diff --git a/cmake/modules/falcosecurity-libs.cmake b/cmake/modules/falcosecurity-libs.cmake
index 74598b93..fc751508 100644
--- a/cmake/modules/falcosecurity-libs.cmake
+++ b/cmake/modules/falcosecurity-libs.cmake
@@ -42,9 +42,9 @@ else()
 # version (or branch, or commit) just pass the variable - ie., `cmake
 # -DFALCOSECURITY_LIBS_VERSION=dev ..`
 if(NOT FALCOSECURITY_LIBS_VERSION)
- set(FALCOSECURITY_LIBS_VERSION "cb93f4b3d75b7c61f3056fa8b08fb904d9aa13fc")
+ set(FALCOSECURITY_LIBS_VERSION "595bb7337f7d09d112d2cfffbcc1467093e88079")
 set(FALCOSECURITY_LIBS_CHECKSUM
- "SHA256=70592c7651032d528ee945a1cb63b6488546a67f46c545493eefe3d2777b4023"
+ "SHA256=aa57cd907a652520ed58fa01bc81894ae4d1049e82ee3871337b746d018aac02"
 )
 endif()
diff --git a/cmake/modules/grpc.cmake b/cmake/modules/grpc.cmake
new file mode 100644
index 00000000..288cf27f
--- /dev/null
+++ b/cmake/modules/grpc.cmake
@@ -0,0 +1,274 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# Copyright (C) 2023 The Falco Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under the License +# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# or implied. See the License for the specific language governing permissions and limitations under +# the License. +# + +option(USE_BUNDLED_GRPC "Enable building of the bundled grpc" ${USE_BUNDLED_DEPS}) + +if(GRPC_INCLUDE) + # we already have grpc +elseif(NOT USE_BUNDLED_GRPC) + # gRPC + find_package(gRPC CONFIG) + if(gRPC_FOUND) + message(STATUS "Using gRPC ${gRPC_VERSION}") + set(GPR_LIB gRPC::gpr) + set(GRPC_LIB gRPC::grpc) + set(GRPCPP_LIB gRPC::grpc++) + + # gRPC C++ plugin + get_target_property(GRPC_CPP_PLUGIN gRPC::grpc_cpp_plugin LOCATION) + if(NOT GRPC_CPP_PLUGIN) + message(FATAL_ERROR "System grpc_cpp_plugin not found") + endif() + + # gRPC include dir + properly handle grpc{++,pp} + get_target_property(GRPC_INCLUDE gRPC::grpc++ INTERFACE_INCLUDE_DIRECTORIES) + find_path( + GRPCXX_INCLUDE + NAMES grpc++/grpc++.h + PATHS ${GRPC_INCLUDE} + ) + if(NOT GRPCXX_INCLUDE) + find_path( + GRPCPP_INCLUDE + NAMES grpcpp/grpcpp.h + PATHS ${GRPC_INCLUDE} + ) + add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1) + endif() + else() + # Fallback to manually find libraries; Some distro, namely Ubuntu focal, do not install gRPC + # config cmake module + find_library(GPR_LIB NAMES gpr) + if(GPR_LIB) + message(STATUS "Found gpr lib: ${GPR_LIB}") + else() + message(FATAL_ERROR "Couldn't find system gpr") + endif() + find_path(GRPCXX_INCLUDE NAMES grpc++/grpc++.h) + if(GRPCXX_INCLUDE) + set(GRPC_INCLUDE ${GRPCXX_INCLUDE}) + else() + find_path(GRPCPP_INCLUDE 
NAMES grpcpp/grpcpp.h) + set(GRPC_INCLUDE ${GRPCPP_INCLUDE}) + add_definitions(-DGRPC_INCLUDE_IS_GRPCPP=1) + endif() + find_library(GRPC_LIB NAMES grpc) + find_library(GRPCPP_LIB NAMES grpc++) + if(GRPC_INCLUDE + AND GRPC_LIB + AND GRPCPP_LIB + ) + message( + STATUS + "Found grpc: include: ${GRPC_INCLUDE}, C lib: ${GRPC_LIB}, C++ lib: ${GRPCPP_LIB}" + ) + else() + message(FATAL_ERROR "Couldn't find system grpc") + endif() + find_program(GRPC_CPP_PLUGIN grpc_cpp_plugin) + if(NOT GRPC_CPP_PLUGIN) + message(FATAL_ERROR "System grpc_cpp_plugin not found") + endif() + endif() +else() + include(cares) + include(protobuf) + include(zlib) + include(openssl) + if(BUILD_SHARED_LIBS) + set(GRPC_OPENSSL_STATIC_LIBS_OPTION FALSE) + else() + set(GRPC_OPENSSL_STATIC_LIBS_OPTION TRUE) + endif() + include(re2) + set(GRPC_SRC "${PROJECT_BINARY_DIR}/grpc-prefix/src/grpc") + set(GRPC_INSTALL_DIR "${GRPC_SRC}/target") + set(GRPC_INCLUDE "${GRPC_INSTALL_DIR}/include" "${GRPC_SRC}/third_party/abseil-cpp") + set(GPR_LIB "${GRPC_SRC}/libgpr.a") + set(GRPC_LIB "${GRPC_SRC}/libgrpc.a") + set(GRPCPP_LIB "${GRPC_SRC}/libgrpc++.a") + set(GRPC_CPP_PLUGIN "${GRPC_SRC}/grpc_cpp_plugin") + set(GRPC_MAIN_LIBS "") + list( + APPEND + GRPC_MAIN_LIBS + "${GPR_LIB}" + "${GRPC_LIB}" + "${GRPCPP_LIB}" + "${GRPC_SRC}/libgrpc++_alts.a" + "${GRPC_SRC}/libgrpc++_error_details.a" + "${GRPC_SRC}/libgrpc++_reflection.a" + "${GRPC_SRC}/libgrpc++_unsecure.a" + "${GRPC_SRC}/libgrpc_plugin_support.a" + "${GRPC_SRC}/libgrpc_unsecure.a" + "${GRPC_SRC}/libgrpcpp_channelz.a" + ) + + get_filename_component(PROTOC_DIR ${PROTOC} PATH) + + if(NOT TARGET grpc) + message(STATUS "Using bundled grpc in '${GRPC_SRC}'") + + # fixme(leogr): this workaround is required to inject the missing deps (built by gRCP + # cmakefiles) into target_link_libraries later note: the list below is manually generated + # starting from the output of pkg-config --libs grpc++ + set(GRPC_LIBRARIES "") + list( + APPEND + GRPC_LIBRARIES + 
"${GRPC_SRC}/libaddress_sorting.a" + "${GRPC_SRC}/libupb.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_hash.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_city.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/hash/libabsl_low_level_hash.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_raw_hash_set.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/container/libabsl_hashtablez_sampler.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_statusor.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/status/libabsl_status.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_functions.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/profiling/libabsl_exponential_biased.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_optional_access.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/types/libabsl_bad_variant_access.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_str_format_internal.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_synchronization.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/synchronization/libabsl_graphcycles_internal.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_stacktrace.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_symbolize.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_debugging_internal.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/debugging/libabsl_demangle_internal.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_malloc_internal.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_civil_time.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_strings_internal.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_base.a" + 
"${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_spinlock_wait.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/numeric/libabsl_int128.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_throw_delegate.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_raw_logging_internal.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/base/libabsl_log_severity.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/time/libabsl_time_zone.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cord_internal.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_info.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/strings/libabsl_cordz_handle.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_pool_urbg.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_hwaes_impl.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_randen_slow.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_seed_material.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_internal_platform.a" + "${GRPC_SRC}/third_party/abseil-cpp/absl/random/libabsl_random_seed_gen_exception.a" + ) + + # Make abseil-cpp build compatible with gcc-13 See + # https://patchwork.yoctoproject.org/project/oe/patch/20230518093301.2938164-1-Martin.Jansa@gmail.com/ + # TO BE DROPPED once we finally upgrade grpc... + set(GRPC_PATCH_CMD + sh + -c + "sed -i '20s/^/#include /' ${GRPC_SRC}/third_party/abseil-cpp/absl/strings/internal/str_format/extension.h" + ) + + # Zig workaround: Add a PATCH_COMMAND to grpc cmake to fixup emitted -march by abseil-cpp + # cmake module, making it use a name understood by zig for arm64. See + # https://github.com/abseil/abseil-cpp/blob/master/absl/copts/GENERATED_AbseilCopts.cmake#L226. 
+ if(CMAKE_C_COMPILER MATCHES "zig") + message(STATUS "Enabling zig workaround for abseil-cpp") + set(GRPC_PATCH_CMD + ${GRPC_PATCH_CMD} + && + sh + -c + "sed -i 's/armv8-a/cortex_a57/g' ${GRPC_SRC}/third_party/abseil-cpp/absl/copts/GENERATED_AbseilCopts.cmake" + ) + endif() + + ExternalProject_Add( + grpc + PREFIX "${PROJECT_BINARY_DIR}/grpc-prefix" + DEPENDS openssl protobuf c-ares zlib re2 + GIT_REPOSITORY https://github.com/grpc/grpc.git + GIT_TAG v1.44.0 + GIT_SUBMODULES "third_party/abseil-cpp" + CMAKE_CACHE_ARGS + -DCMAKE_INSTALL_PREFIX:PATH=${GRPC_INSTALL_DIR} + -DCMAKE_BUILD_TYPE:STRING=${CMAKE_BUILD_TYPE} + -DCMAKE_POSITION_INDEPENDENT_CODE:BOOL=${ENABLE_PIC} + -DgRPC_INSTALL:BOOL=OFF + # disable unused stuff + -DgRPC_BUILD_TESTS:BOOL=OFF + -DgRPC_BUILD_CSHARP_EXT:BOOL=OFF + -DgRPC_BUILD_GRPC_CSHARP_PLUGIN:BOOL=OFF + -DgRPC_BUILD_GRPC_NODE_PLUGIN:BOOL=OFF + -DgRPC_BUILD_GRPC_OBJECTIVE_C_PLUGIN:BOOL=OFF + -DgRPC_BUILD_GRPC_PHP_PLUGIN:BOOL=OFF + -DgRPC_BUILD_GRPC_PYTHON_PLUGIN:BOOL=OFF + -DgRPC_BUILD_GRPC_RUBY_PLUGIN:BOOL=OFF + # deps provided by us + # https://github.com/grpc/grpc/blob/v1.32.0/cmake/modules/Findc-ares.cmake + -DgRPC_CARES_PROVIDER:STRING=package + -Dc-ares_DIR:PATH=${CARES_SRC} + -Dc-ares_INCLUDE_DIR:PATH=${CARES_INCLUDE} + -Dc-ares_LIBRARY:PATH=${CARES_LIB} + # https://cmake.org/cmake/help/v3.6/module/FindProtobuf.html + -DgRPC_PROTOBUF_PROVIDER:STRING=package + -DCMAKE_CXX_FLAGS:STRING=-I${PROTOBUF_INCLUDE} + -DProtobuf_INCLUDE_DIR:PATH=${PROTOBUF_INCLUDE} + -DProtobuf_LIBRARY:PATH=${PROTOBUF_LIB} + -DProtobuf_PROTOC_LIBRARY:PATH=${PROTOC_LIB} + -DProtobuf_PROTOC_EXECUTABLE:PATH=${PROTOC} + # https://cmake.org/cmake/help/v3.6/module/FindOpenSSL.html + -DgRPC_SSL_PROVIDER:STRING=package + -DOPENSSL_ROOT_DIR:PATH=${OPENSSL_INSTALL_DIR} + -DOPENSSL_USE_STATIC_LIBS:BOOL=${GRPC_OPENSSL_STATIC_LIBS_OPTION} + # https://cmake.org/cmake/help/v3.6/module/FindZLIB.html + -DgRPC_ZLIB_PROVIDER:STRING=package + -DZLIB_ROOT:STRING=${ZLIB_SRC} + # RE2 + 
-DgRPC_RE2_PROVIDER:STRING=package + -Dre2_DIR:PATH=${RE2_DIR} + BUILD_IN_SOURCE 1 + BUILD_BYPRODUCTS ${GRPC_LIB} ${GRPCPP_LIB} ${GPR_LIB} ${GRPC_LIBRARIES} + # Keep installation files into the local ${GRPC_INSTALL_DIR} since here is the case when + # we are embedding gRPC + UPDATE_COMMAND "" + PATCH_COMMAND ${GRPC_PATCH_CMD} + INSTALL_COMMAND DESTDIR= ${CMAKE_MAKE_PROGRAM} install + ) + install( + FILES ${GRPC_MAIN_LIBS} + DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + install( + FILES ${GRPC_LIBRARIES} + DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + install( + DIRECTORY "${GRPC_SRC}/target/include/" + DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + endif() +endif() + +if(NOT TARGET grpc) + add_custom_target(grpc) +endif() + +include_directories("${GRPC_INCLUDE}") diff --git a/cmake/modules/openssl.cmake b/cmake/modules/openssl.cmake new file mode 100644 index 00000000..06def028 --- /dev/null +++ b/cmake/modules/openssl.cmake 
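Review bot: Unlike the c-ares, curl and OpenSSL modules in this commit, which fetch a release tarball checked by `URL_HASH`, the grpc ExternalProject is fetched with `GIT_REPOSITORY https://github.com/grpc/grpc.git` and `GIT_TAG v1.44.0` plus `GIT_SUBMODULES "third_party/abseil-cpp"`; a tag is a mutable reference and nothing here verifies the bytes that end up statically linked into the Falco binary. Pinning `GIT_TAG` to the full commit hash that v1.44.0 resolves to (`GIT_TAG <commit-sha-of-v1.44.0>`), or switching to the release tarball with a `URL_HASH` like the sibling modules, closes that gap. The `sed -i` patch commands that rewrite `extension.h` and `GENERATED_AbseilCopts.cmake` succeed silently even when the targeted line has moved, so the "TO BE DROPPED once we finally upgrade grpc" comment should carry a tracking reference, and the hard-coded `-I${PROTOBUF_INCLUDE}` in `CMAKE_CXX_FLAGS` is worth a one-line comment on why `Protobuf_INCLUDE_DIR` alone is not enough.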
@@ -0,0 +1,81 @@ +# SPDX-License-Identifier: Apache-2.0 +# +# Copyright (C) 2023 The Falco Authors. +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except +# in compliance with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software distributed under the License +# is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express +# or implied. See the License for the specific language governing permissions and limitations under +# the License. +# + +option(USE_BUNDLED_OPENSSL "Enable building of the bundled OpenSSL" ${USE_BUNDLED_DEPS}) + +if(OPENSSL_INCLUDE_DIR) + # we already have openssl +elseif(NOT USE_BUNDLED_OPENSSL) + find_package(OpenSSL REQUIRED) + message(STATUS "Found OpenSSL: include: ${OPENSSL_INCLUDE_DIR}, lib: ${OPENSSL_LIBRARIES}") +else() + if(BUILD_SHARED_LIBS) + set(OPENSSL_LIB_SUFFIX ${CMAKE_SHARED_LIBRARY_SUFFIX}) + set(OPENSSL_SHARED_OPTION shared) + else() + set(OPENSSL_LIB_SUFFIX ${CMAKE_STATIC_LIBRARY_SUFFIX}) + set(OPENSSL_SHARED_OPTION no-shared) + endif() + set(OPENSSL_BUNDLE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl") + set(OPENSSL_INSTALL_DIR "${OPENSSL_BUNDLE_DIR}/target") + set(OPENSSL_INCLUDE_DIR "${PROJECT_BINARY_DIR}/openssl-prefix/src/openssl/include/") + set(OPENSSL_LIBRARY_SSL "${OPENSSL_INSTALL_DIR}/lib/libssl${OPENSSL_LIB_SUFFIX}") + set(OPENSSL_LIBRARY_CRYPTO "${OPENSSL_INSTALL_DIR}/lib/libcrypto${OPENSSL_LIB_SUFFIX}") + set(OPENSSL_LIBRARIES ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO}) + + if(NOT TARGET openssl) + if(NOT ENABLE_PIC) + set(OPENSSL_PIC_OPTION) + else() + set(OPENSSL_PIC_OPTION "-fPIC") + endif() + + message(STATUS "Using bundled openssl in '${OPENSSL_BUNDLE_DIR}'") + + ExternalProject_Add( + openssl + PREFIX "${PROJECT_BINARY_DIR}/openssl-prefix" + URL 
"https://github.com/openssl/openssl/releases/download/openssl-3.1.4/openssl-3.1.4.tar.gz" + URL_HASH "SHA256=840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3" + CONFIGURE_COMMAND ./config ${OPENSSL_SHARED_OPTION} ${OPENSSL_PIC_OPTION} + --prefix=${OPENSSL_INSTALL_DIR} --libdir=lib + BUILD_COMMAND make + BUILD_IN_SOURCE 1 + BUILD_BYPRODUCTS ${OPENSSL_LIBRARY_SSL} ${OPENSSL_LIBRARY_CRYPTO} + INSTALL_COMMAND make install_sw + ) + install( + FILES "${OPENSSL_LIBRARY_SSL}" + DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + install( + FILES "${OPENSSL_LIBRARY_CRYPTO}" + DESTINATION "${CMAKE_INSTALL_LIBDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + install( + DIRECTORY "${OPENSSL_INCLUDE_DIR}" + DESTINATION "${CMAKE_INSTALL_INCLUDEDIR}/${LIBS_PACKAGE_NAME}" + COMPONENT "libs-deps" + ) + endif() +endif() + +if(NOT TARGET openssl) + add_custom_target(openssl) +endif() + +include_directories("${OPENSSL_INCLUDE_DIR}") diff --git a/falco.yaml b/falco.yaml index 69ac6e1c..4308bae9 100644 --- a/falco.yaml +++ b/falco.yaml 
@@ -460,12 +460,39 @@ engine:
 # For example, if you want to use the `k8saudit` plugin,
 # ensure it is configured appropriately and then change this to:
 # load_plugins: [k8saudit, json]
-load_plugins: []
+load_plugins: [container]
 # Customize subsettings for each enabled plugin. These settings will only be
 # applied when the corresponding plugin is enabled using the `load_plugins`
 # option.
 plugins:
+ - name: container
+ # For a summary of config option, see https://github.com/FedeDP/container_plugin?tab=readme-ov-file#configuration
+ library_path: libcontainer.so
+ init_config:
+ verbosity: warning
+ label_max_len: 100
+ with_size: false
+# We use default config values for engine key.
+# engines:
+# docker:
+# enabled: true
+# sockets: [ '/var/run/docker.sock' ]
+# podman:
+# enabled: true
+# sockets: [ '/run/podman/podman.sock', '/run/user/1000/podman/podman.sock' ]
+# containerd:
+# enabled: true
+# sockets: [ '/run/containerd/containerd.sock' ]
+# cri:
+# enabled: true
+# sockets: [ '/run/crio/crio.sock' ]
+# lxc:
+# enabled: false
+# libvirt_lxc:
+# enabled: false
+# bpm:
+# enabled: false
 - name: k8saudit
 library_path: libk8saudit.so
 init_config: ""
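Review bot: With `load_plugins: [container]` the shipped default now has Falco open container-runtime sockets on every start, yet the only place an operator can see which sockets is the commented `# engines:` block introduced by `# We use default config values for engine key.`, which does not say whether the listed values are the plugin's built-in defaults or just an example; if they are the defaults, state that explicitly so the default install's socket access is documented, and drop the UID-specific `/run/user/1000/podman/podman.sock` from the example if it is not one. The option comment links to a personal repository (`https://github.com/FedeDP/container_plugin`), which will go stale once the plugin lives under the falcosecurity organisation; a default config file should point at the canonical plugin documentation. `label_max_len: 100` and `with_size: false` would each benefit from a one-line comment saying what they control, as the other plugin entries in this file do.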
@@ -1309,29 +1336,9 @@ falco_libs:
 thread_table_size: 262144
 snaplen: 80
-# [Incubating] `container_engines`
+# [Deprecated] `container_engines`
 #
-# This option allows you to explicitly enable or disable API lookups against container
-# runtime sockets for each supported container runtime.
-# Access to these sockets enables Falco to retrieve container and Kubernetes fields,
-# helping identify workload owners in modern containerized environments.
-# Refer to the fields docs:
-#
-# - [Kubernetes fields](https://falco.org/docs/reference/rules/supported-fields/#field-class-k8s)
-# - [Container fields](https://falco.org/docs/reference/rules/supported-fields/#container)
-#
-# Additionally, Falco can use container events as a data source for alerting (evt.type = container).
-#
-# For most container engines, you can solely enable or disable them, and Falco will search the
-# default (hard-coded) container runtime socket paths, such as `/var/run/docker.sock` for Docker.
-#
-# However, for Kubernetes settings, you can customize the CRI socket paths:
-#
-# - `container_engines.cri.sockets`: Pass a list of container runtime sockets.
-# - `container_engines.cri.disable_async`: Since API lookups may not always be quick or
-# perfect, resulting in empty fields for container metadata, you can use this option option
-# to disable asynchronous fetching. Note that missing fields may still occasionally occur.
-
+# The following options are deprecated and will be forwarded to the container plugin init_config.
 container_engines:
 docker:
 enabled: true
diff --git a/userspace/falco/CMakeLists.txt b/userspace/falco/CMakeLists.txt
index a67d8ab4..8d47d9d2 100644
--- a/userspace/falco/CMakeLists.txt
+++ b/userspace/falco/CMakeLists.txt
@@ -123,6 +123,7 @@ if(CMAKE_SYSTEM_NAME MATCHES "Linux" AND NOT MINIMAL_BUILD)
 "${PROTOBUF_LIB}"
 "${CARES_LIB}"
 "${OPENSSL_LIBRARIES}"
+ "${CURL_LIBRARIES}"
 )
 endif()
diff --git a/userspace/falco/app/actions/init_inspectors.cpp b/userspace/falco/app/actions/init_inspectors.cpp
index 690c69ab..8e6d67a9 100644
--- a/userspace/falco/app/actions/init_inspectors.cpp
+++ b/userspace/falco/app/actions/init_inspectors.cpp
@@ -33,51 +33,6 @@ static void init_syscall_inspector(falco::app::state& s, std::shared_ptr
 inspector->set_buffer_format(event_buffer_format);
- //
- // Container engines
- //
-
- // Debug log messages
- if(s.config->m_container_engines_mask & (1 << CT_DOCKER)) {
- falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'docker'");
- }
-
- if(s.config->m_container_engines_mask & (1 << CT_PODMAN)) {
- falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'podman'");
- }
-
- if(s.config->m_container_engines_mask &
- ((1 << CT_CRI) | (1 << CT_CRIO) | (1 << CT_CONTAINERD))) {
- falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'CRI'");
- }
-
- if(s.config->m_container_engines_mask & (1 << CT_LXC)) {
- falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'lxc'");
- }
-
- if(s.config->m_container_engines_mask & (1 << CT_LIBVIRT_LXC)) {
- falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'libvirt_lxc'");
- }
-
- if(s.config->m_container_engines_mask & (1 << CT_BPM)) {
- falco_logger::log(falco_logger::level::DEBUG, "Enabled container engine 'bpm'");
- }
-
- // Container engines configs via falco.yaml
- inspector->set_container_engine_mask(s.config->m_container_engines_mask);
- for(auto& p : s.config->m_container_engines_cri_socket_paths) {
- if(!p.empty()) {
- inspector->add_cri_socket_path(p);
- falco_logger::log(falco_logger::level::DEBUG,
- "Enabled container runtime socket at '" + p + "' via config file");
- }
- }
-
- inspector->set_cri_async(!s.config->m_container_engines_disable_cri_async);
- if(s.config->m_container_engines_disable_cri_async) {
- falco_logger::log(falco_logger::level::DEBUG, "Disabling async lookups for 'CRI'");
- }
-
 //
 // If required, set the snaplen.
 //
diff --git a/userspace/falco/configuration.cpp b/userspace/falco/configuration.cpp
index 27f439cb..6d740c1b 100644
--- a/userspace/falco/configuration.cpp
+++ b/userspace/falco/configuration.cpp
@@ -96,12 +96,7 @@ falco_configuration::falco_configuration():
 m_metrics_flags(0),
 m_metrics_convert_memory_to_mb(true),
 m_metrics_include_empty_values(false),
- m_plugins_hostinfo(true),
- m_container_engines_mask(0),
- m_container_engines_disable_cri_async(false),
- m_container_engines_cri_socket_paths({"/run/containerd/containerd.sock",
- "/run/crio/crio.sock",
- "/run/k3s/containerd/containerd.sock"}) {
+ m_plugins_hostinfo(true) {
 m_config_schema = nlohmann::json::parse(config_schema_string);
 }
@@ -699,31 +694,59 @@ void falco_configuration::load_yaml(const std::string &config_name) {
 m_watch_config_files = m_config.get_scalar("watch_config_files", true);
- if(m_config.get_scalar("container_engines.docker.enabled", true)) {
- m_container_engines_mask |= (1 << CT_DOCKER);
+ load_container_config();
+}
+
+void falco_configuration::load_container_config() {
+ // Find container plugin
+ const std::string *init_cfg;
+ for(const auto &p : m_plugins) {
+ if(p.m_name == "container") {
+ // Store the point to be later overridden
+ init_cfg = &p.m_init_config;
+ }
 }
- if(m_config.get_scalar("container_engines.podman.enabled", true)) {
- m_container_engines_mask |= (1 << CT_PODMAN);
+
+ if(m_config.is_defined("container_engines.docker.enabled")) {
+ const auto docker_enabled =
+ m_config.get_scalar("container_engines.docker.enabled", true);
+ // TODO update init_cfg
 }
- if(m_config.get_scalar("container_engines.cri.enabled", true)) {
- m_container_engines_mask |= ((1 << CT_CRI) | (1 << CT_CRIO) | (1 << CT_CONTAINERD));
- m_container_engines_cri_socket_paths.clear();
- m_config.get_sequence>(m_container_engines_cri_socket_paths,
- "container_engines.cri.sockets");
- m_container_engines_disable_cri_async =
- m_config.get_scalar("container_engines.cri.disable-cri-async", false);
+
+ if(m_config.is_defined("container_engines.podman.enabled")) {
+ const auto podman_enabled =
+ m_config.get_scalar("container_engines.podman.enabled", true);
+ // TODO update init_cfg
 }
- if(m_config.get_scalar("container_engines.lxc.enabled", true)) {
- m_container_engines_mask |= (1 << CT_LXC);
+
+ if(m_config.is_defined("container_engines.cri.enabled")) {
+ const auto cri_enabled = m_config.get_scalar("container_engines.cri.enabled", true);
+ // TODO update init_cfg
+
+ if(cri_enabled) {
+ std::vector cri_socket_paths;
+ m_config.get_sequence>(cri_socket_paths,
+ "container_engines.cri.sockets");
+ auto disable_cri_async =
+ m_config.get_scalar("container_engines.cri.disable-cri-async", false);
+ // TODO update initcfg
+ }
 }
- if(m_config.get_scalar("container_engines.libvirt_lxc.enabled", true)) {
- m_container_engines_mask |= (1 << CT_LIBVIRT_LXC);
+
+ if(m_config.is_defined("container_engines.lxc.enabled")) {
+ const auto lxc_enabled = m_config.get_scalar("container_engines.lxc.enabled", true);
+ // TODO update init_cfg
 }
- if(m_config.get_scalar("container_engines.rocket.enabled", true)) {
- m_container_engines_mask |= (1 << CT_RKT);
+
+ if(m_config.is_defined("container_engines.libvirt_lxc.enabled")) {
+ const auto libvirt_lxc_enabled =
+ m_config.get_scalar("container_engines.libvirt_lxc.enabled", true);
+ // TODO update init_cfg
 }
- if(m_config.get_scalar("container_engines.bpm.enabled", true)) {
- m_container_engines_mask |= (1 << CT_BPM);
+
+ if(m_config.is_defined("container_engines.bpm.enabled")) {
+ const auto bpm_enabled = m_config.get_scalar("container_engines.bpm.enabled", true);
+ // TODO update init_cfg
 }
 }
diff --git a/userspace/falco/configuration.h b/userspace/falco/configuration.h
index 6110352a..d7cdb6bc 100644
--- a/userspace/falco/configuration.h
+++ b/userspace/falco/configuration.h
@@ -199,11 +199,6 @@ public:
 std::vector m_plugins;
 bool m_plugins_hostinfo;
- // container engines
- uint64_t m_container_engines_mask;
- uint64_t m_container_engines_disable_cri_async;
- std::vector m_container_engines_cri_socket_paths;
-
 // Falco engine
 engine_kind_t m_engine_mode = engine_kind_t::KMOD;
 kmod_config m_kmod = {};
@@ -218,6 +213,7 @@ public:
 private:
 void merge_config_files(const std::string& config_name, config_loaded_res& res);
 void load_yaml(const std::string& config_name);
+ void load_container_config();
 void init_logger();
 void load_engine_config(const std::string& config_name);
 void init_cmdline_options(const std::vector& cmdline_options);
diff --git a/userspace/falco/outputs_http.h b/userspace/falco/outputs_http.h
index 653872b8..5cb85f5c 100644
--- a/userspace/falco/outputs_http.h
+++ b/userspace/falco/outputs_http.h
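Review bot: `const std::string *init_cfg;` in the new load_container_config() is never initialized and is only assigned inside the loop, so whenever `m_plugins` has no `container` entry (any user who edits `load_plugins`) the pointer is indeterminate; it is also a pointer-to-const taken through `const auto &p`, so the "to be later overridden" comment cannot be honoured without a cast, and the loop does not stop at the first match. Every `container_engines.*` value is then read into a local and dropped at a `// TODO update init_cfg`, which leaves the deprecated keys silently ignored (and the unused locals will trip `-Wunused-variable` on warning-as-error builds) while the falco.yaml comment in this same commit promises they "will be forwarded to the container plugin init_config"; either implement the forwarding or emit a warning and keep the yaml text honest. Note also that the key read here is still `container_engines.cri.disable-cri-async`, whereas the removed falco.yaml text documented `container_engines.cri.disable_async`. One shape for the forwarding, assuming `m_init_config` is a JSON string as the constructor's use of `nlohmann::json` suggests — confirm against how plugin init_config is serialized:
```cpp
void falco_configuration::load_container_config() {
	// Locate the container plugin entry; with no such plugin there is nothing to forward to.
	std::string *init_cfg = nullptr;
	for(auto &p : m_plugins) {
		if(p.m_name == "container") {
			init_cfg = &p.m_init_config;
			break;
		}
	}
	if(init_cfg == nullptr) {
		return;
	}
	// Merge into whatever the user already wrote under init_config instead of replacing it.
	nlohmann::json cfg = init_cfg->empty() ? nlohmann::json::object()
	                                       : nlohmann::json::parse(*init_cfg);
	if(m_config.is_defined("container_engines.docker.enabled")) {
		cfg["engines"]["docker"]["enabled"] =
		        m_config.get_scalar<bool>("container_engines.docker.enabled", true);
	}
	// … same pattern for podman, cri (enabled, sockets, disable-cri-async), lxc, libvirt_lxc, bpm …
	*init_cfg = cfg.dump();
}
```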
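Review bot: The new private declaration `void load_container_config();` in configuration.h has no comment, and unlike its neighbours it has an ordering dependency: it is called from the end of `load_yaml` and walks `m_plugins`, so it only does anything after the plugin list has been populated (presumably earlier in `load_yaml`). A one-line comment next to the declaration, `// Forwards deprecated container_engines.* keys into the container plugin's init_config; must run after m_plugins is loaded.`, records that constraint where the next caller will see it.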
@@ -18,6 +18,8 @@ limitations under the License.
 #pragma once
 #include "outputs.h"
+#include
+#include
 namespace falco {
 namespace outputs {
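Review bot: Two `#include` directives are added to the public header outputs_http.h, but their targets did not survive extraction on this page, so I can only infer from the `${CURL_LIBRARIES}` link addition in the same commit that they bring in libcurl; if so, including third-party headers from a header that other translation units consume makes every consumer depend on curl's include path and symbols. Unless a curl type appears in the class definition below, prefer keeping those includes in outputs_http.cpp, or add a comment on the header explaining why they must be visible here. The enclosing namespace blocks continue past the end of the hunk.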